CyberWire Daily - Roya Gordon: Becoming a trailblazer. [Research] [Career Notes]
Episode Date: August 21, 2022Roya Gordon, a Security Research Evangelist at ICS cybersecurity firm Nozomi Networks, started her career as an intelligence specialist in the U.S. Navy. After her time serving, Roya spent time as a C...ontrol Systems Cybersecurity Analyst at the Idaho National Laboratory and then took the role of Cyber Threat Intelligence Manager at Accenture. She shares her story after the NSA accepted her and then quickly diverted, creating a new path for Roya to follow. She shares the jobs she went after along the way, leading up to Nozomi Networks and how she wishes to be a trailblazer for young black women everywhere. She hopes to shape young women's minds on what the cybersecurity industry is actually like, in hopes that she can be a figure people look up to. We thank Roya for sharing her story. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024. These traditional security tools expand your attack
surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security. Thank you. Learn more at zscaler.com slash security.
My name is Rorya Gordon, I should be a lawyer.
And I actually liked the idea.
So in middle school and high school, I was in pre-law magnet programs.
I thought I was going to be a lawyer.
I had no idea of what cyber was, so my path was to be a lawyer. After high school, didn't end up going to
college right away. I joined the Navy. I was in ROTC and it just had a big influence on my life.
And I was like, yeah, I want to join the Navy. So I did intelligence. This was before there
was cybersecurity in the Navy. I worked a lot with the cryptologist. So a little bit of technical
stuff there, but I was still doing threat intelligence, terrorism and tracking military
vessel safety as they were conducting exercises and sailing the seas. I got out in undergrad.
I was still kind of on the mission of doing national security.
So I got my degree in international relations
and I was planning on joining the FBI, the CIA, the NSA.
That was kind of my new path.
And then I got introduced to tech in grad school
when I started studying cyber warfare.
I was originally looking at other parts of the IC, the intel community.
And so I was applying everywhere, NGA, FBI, DIA, you name it.
And in grad school, I got picked up by the NSA and they gave me a conditional
job offer. And they were like, you know, if your clearance comes back good, then you will start,
you'll be a part of NSA's like cyber program. It was a three-year program. I got to learn all about
the agency. So once I realized I was going to be in the NSA, I was like, crap, I should probably
start learning about cyber stuff.
Because up until that point, I just had no clue.
So that's when I kind of took it upon myself to choose a capstone project at my alma mater in cyber warfare, because I wanted to kind of have some kind of basis as to what cyber was.
And I got to learn about nation state threat actors.
And it wasn't technical. It
was more theoretical. But that's kind of how I started getting into cyber because I was NSA bound.
So I graduated from grad school. I had my official letter for the NSA in hand. I was getting ready to fly to DC.
I already set up a place to live. Like I was going to start at the NSA. And about a month,
maybe a couple of weeks before my start date, my recruiter at the NSA calls me and says,
I don't know what's going on, Roya, but the NSA is rescinding your job offer.
on Roya, but the NSA is rescinding your job offer. So I'm like, okay, what does this mean?
And she's just like, I don't know. You're going to have to write a letter to the NSA,
but you're not going to be starting. Like you no longer have a job here.
So that kind of put me on my butt for a lack of a better term, because I didn't know what I was going to do now.
I thought I had it planned out.
So I was back to work at the NSA.
Now I'm being offered jobs, which I don't want to say was beneath me, but I knew I could do better and I didn't want to lock myself into it.
So I was turning down jobs because I was like, I know what I'm looking for.
I know where I want to be. It was difficult. Like the first three weeks, I don't think I did anything but like cry.
I know moment of vulnerability because I was crushed. I moved back into my parents' house
and I have no job now. But yeah, it did take some time.
so I started just looking up intelligence jobs and I realized there's a lot of private companies that want intelligence so I started applying to all of these cyber jobs that I personally was not
qualified for but I applied anyway and I applied for a position at Idaho National Laboratory.
I think the job description was cybersecurity researcher.
And I read it and I'm like, I can research stuff.
So I applied and the recruiter, bless her heart, because she could have just tossed my resume to the side.
But she was like, you know what?
We're looking for someone with more technical chops for this position.
So you don't qualify.
However, there's another part of the lab that I think your background and your skills matches up perfectly with.
So she passed me on to someone else and it was like an eight hour interview.
And after all that, they said, you know what?
You have all the other skills that we're looking for.
You have an Intel background.
You're analytical.
You know how to write. You know how to brief. We'll teach you the cyber stuff. And they hired me. And for three years, I dove right into OT, ICS, cybersecurity headfirst.
I went from like a medium-sized company, like at Idaho National Laboratory,
I went from like a medium-sized company like at Idaho National Laboratory to like Accenture.
Half a million people worldwide, such a large company, to now a smaller company, Nozomi Networks.
What I like about it is I get to learn so much more outside of my role, but it also enables me to do my job. So at a big company, you know, everyone
kind of gets pigeonholed into doing one thing and you do it well, but you're never going to learn
everything else. And because the company is so small, I see myself interacting with marketing
and PR, with the sales engineer, with BDN alliances. And then of course, with the security
research team that I'm a part of. And I get to see
the big vision of a technology company and not just the one small thing that I do. So during the
pandemic, I gave a lot of cybersecurity advice to a lot of my friends and associates that lost their
jobs. They didn't know what to do now. And they were looking at me like, you seem to be doing
great and you're in cybersecurity. How do I get into it? And I had to say, hold on, like, let's utilize and leverage
your background and your experience into cyber. So for example, I know someone who lost her job
at a financial institution. I was like, financial institutions need cyber. So your background can be leveraged.
Maybe take a couple of these courses, get these certifications, look at some job descriptions,
and align what the certifications you're going to get to what the industry is looking for.
Utilize what you have. Like cyber needs all types of skills. It's not a one-size-fit-all type of thing. I think me being a woman in this field
seems to, and I don't want to say hurt me more, but I seem to have more run-ins with that being
an issue versus me being a person of color. Only because they assume that a woman, she's not
technical. She doesn't know what she's talking about. I mean, I've been in OT for so long and
I still have people trying to explain to me what industrial control systems are. Outside of that,
I don't think I've experienced that. Thankfully, I've just been working with people more
open, more cultured, and just respect me a little bit more.
I guess I want to be remembered as, I don't want to say a trailblazer,
but obviously someone that is representing people of color, women of color in this space.
I try to speak at conferences,
you know, I'm doing webinars and it's not for me to just feel good about myself or, I mean,
obviously it's to make the company look good too, but it's also to kind of show people,
especially the youth, hey, you know, there's a woman, there's someone black that's doing these
things and kind of gauging their interest in this field,
especially with girls. I used to volunteer with Girls Who Code and just changing their minds
about what working in cybersecurity looks like. You know, you can still have your fun hobbies.
You can still love fashion. You can still, you know, like your Instagram and your TikToking,
but you can also still be a really serious cybersecurity professional.
So I just want to be an example that people can look at to say,
she did it, so I know I can do it too.
If not anything else, I think that would make me happy. And now, a message from Black Cloak.
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.